{
	"id": "b0733939-0adb-48b6-993c-96655ee12c93",
	"created_at": "2026-04-06T00:17:46.715521Z",
	"updated_at": "2026-04-10T03:36:50.367165Z",
	"deleted_at": null,
	"sha1_hash": "bc9427cc952696d0cc49504bc987a87015c67c95",
	"title": "Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2129494,
	"plain_text": "Operation “Armor Piercer:” Targeted attacks in the Indian\r\nsubcontinent using commercial RATs\r\nBy Asheer Malhotra\r\nPublished: 2021-09-23 · Archived: 2026-04-05 20:04:22 UTC\r\nBy Asheer Malhotra, Vanja Svajcer and Justin Thattil.\r\nCisco Talos is tracking a campaign targeting government personnel in India using themes and tactics\r\nsimilar to APT36 (aka Mythic Leopard and Transparent Tribe).\r\nThis campaign distributes malicious documents and archives to deliver the Netwire and Warzone\r\n(AveMaria) RATs.\r\nThe lures used in this campaign are predominantly themed around operational documents and guides such\r\nas those pertaining to the “Kavach” (Hindi for “armor”) two-factor authentication (2FA) application\r\noperated by India’s National Informatics Centre (NIC).\r\nThis campaign utilizes compromised websites and fake domains to host malicious payloads, another tactic\r\nsimilar to Transparent Tribe.\r\nWhat’s new?\r\nCisco Talos recently discovered a malicious campaign targeting government employees and military personnel in\r\nthe Indian subcontinent with two commercial and commodity RAT families known as NetwireRAT (aka\r\nNetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets,\r\npredominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and\r\nI.T.-related guides in the form of malicious Microsoft Office documents (maldocs) and archives (RARs, ZIPs)\r\ncontaining loaders for the RATs.\r\nApart from artifacts involved in the infection chains, we’ve also discovered the use of server-side scripts to carry\r\nout operational tasks such as sending out malicious emails and maintaining presence on compromised sites via\r\nweb shells. 
This provides additional insight into the attacker’s operational TTPs.\r\nSome of these lures and tactics utilized by the attackers bear a strong resemblance to the Transparent Tribe and\r\nSideCopy APT groups, including the use of compromised websites and fake domains.\r\nHow did it work?\r\nThis campaign uses a few distinct, yet simple, infection chains. Most infections use a maldoc that downloads and\r\ninstruments a loader. The loader is responsible for downloading or decrypting (if embedded) the final RAT\r\npayload and deploying it on the infected endpoint. In some cases, we’ve observed the use of malicious archives\r\ncontaining a combination of maldocs, loaders and decoy images. The RAT payloads are relatively unmodified,\r\nwith the command and control (C2) IPs and domains being the most pivotal configuration information.\r\nhttps://blog.talosintelligence.com/2021/09/operation-armor-piercer.html\r\nPage 1 of 25\n\nSo what?\r\nThis campaign illustrates another instance of a highly motivated threat actor using a set of commercial and\r\ncommodity RAT families to infect their victims. These RATs are packed with many features out-of-the-box to\r\nachieve comprehensive control over the infected systems. It is also highly likely that these malware families\r\nestablish footholds into the victim’s networks to deploy additional plugins and modules.\r\nInfection chains\r\nThe earliest instance of this campaign was observed in December 2020 utilizing malicious Microsoft Office\r\ndocuments (maldocs). These maldocs contain malicious VBA macros that download and execute the next stage of\r\nthe infection — the malware loader.\r\nThe maldocs’ content ranges from security advisories, to meeting schedules, to software installation notes. These\r\nmaldocs contain malicious macros that download and execute the next stage payload on the victim’s endpoint. 
The\r\nfinal payload is usually a RAT that can perform a multitude of malicious operations on the infected endpoint.\r\nThe maldocs pose as documents related to either meeting schedules pertinent to the victims, or as technical guides\r\nrelated to the Government of India’s IT infrastructure. It is likely that these files are either delivered as\r\nattachments or links in spear-phishing emails where the verbiage is meant to social engineer the victims into\r\nopening the maldoc attachments or downloading them from an attacker-controlled link.\r\nSome file names used are:\r\nKAVACH-INSTALLATION-VER-1.docm\r\nSecurity-Updates.docm\r\nOnline meeting schedule for OPS.doc\r\nschedule2021.docm\r\nInterestingly, we’ve observed the use of Kavach-themed maldocs and binaries being used in recent SideCopy\r\nattacks.\r\nMalicious macro in maldoc downloading and executing the next stage payload.\r\nStage 2 — Loaders\r\nThe payload is usually loader binaries aimed at instrumenting the final malware payload. These loaders will use\r\neither of the following techniques to instrument the final malware payloads on the endpoint:\r\nDownload payload from remote location and activate using process hollowing into itself or a target\r\nprocess.\r\nDecode embedded payload and activate using process hollowing.\r\nDepending on the variants, the loaders may also perform the following peripheral activities:\r\nDisable AMSI scanning by patching the first six bytes of the “AmsiScanBuffer” API.\r\nSet up persistence via registry for the next stage malware payload dropped to disk using the\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run keys.\r\nDownloaders\r\nThroughout March and April 2021, the attackers utilized downloaders to download and execute the RAT payloads\r\nfrom remote locations. 
The earliest versions of this loader used RunPE DLLs to inject the malware payloads into a\r\nspecified target process via hollowing.\r\n.NET loader utilizing RunPE.dll to inject AveMaria RAT payload into InstallUtil.exe.\r\nIn May 2021, the attackers used the next iteration of their C#-based downloader that reaches out to a decoy URL\r\nand only proceeds with execution if the communication process fails.\r\nDownloader reaching out to a decoy URL and executing actual functionality in the catch code block.\r\nThis downloader then proceeds to patch the “AmsiScanBuffer” API, establishes persistence for the next stage\r\npayload and invokes it at the end. The payload in the next stage consists of legitimate .NET-based applications\r\ntrojanized with the ability to decrypt and deploy the NetwireRAT malware.\r\nAMSI bypass, persistence and invocation by the loader.\r\nToward the beginning of June 2021, the attackers started experimenting with the use of Pastebin as a payload-hosting platform. The downloader reached out to a Pastebin URL via cURL to download and inject the payload\r\ninto its own running process.\r\nEvolution of the downloaders:\r\nLoaders with embedded payloads\r\nThe attackers modified open-source projects with code to load trojanized .NET-based binaries as loaders for the\r\nRATs dating as far back as December 2020. 
One of the droppers we analyzed is based on the Pangantucan\r\nCommunity High School library management system application.\r\nIt is likely that the loader is based on a crypter available to the attackers since we’ve observed other crimeware\r\nfamilies such as Formbook use similar loaders to infect their targets.\r\nThe original application’s initialization code for Form1.\r\nThe same function in the trojanized version calls a constructor to the added ISectionEntry class.\r\nThe loader modified the Login form with a call to a function that loads a DLL loader with the assembly name\r\n“SimpleUI.” The second-stage loader is extracted from the .NET resource with the name “Draw.”\r\nThe assembly extracted from the Draw resource is responsible for decoding and loading a Netwire injector module\r\nwhich is stored as the AuthorizationRule bitmap resource in the original trojanized loader.\r\nAuthorizationRule blob parsed as a bitmap image (464,147 bytes long).\r\nThe injector is responsible for deploying the NetwireRAT binary present in its .NET resources into a target\r\nprocess, such as vbc.exe.\r\nStage 3 — Final payloads\r\nThe Netwire and AveMaria RAT families are eventually downloaded and executed on the victim machine. In some\r\ncases, we’ve also discovered the deployment of custom .NET-based file enumerator modules that generate and\r\nexfiltrate file path listings of specific file extensions on the infected systems.\r\nMaldoc infection chain variation\r\nIn one instance, the attackers used a different variation of the infection chain that starts with a malicious document\r\ndelivered to the victim. 
The macro in the maldoc downloads and executes a VBScript (VBS) instead of directly\r\ndownloading the malware payload.\r\nThe VBS contains many junk comments interlaced with the actual malicious code. The malicious code will\r\nexecute an encoded PowerShell command to download the next payload.\r\nThe PowerShell downloads a malicious archive and an unzip utility such as 7-Zip from a remote location. This\r\nutility unzips and runs the malware payload from the archive file. An example of the command used to unzip the\r\narchive is:\r\n7za.exe x -y -aoa -bso0 -bse0 -bb0 -bd \u003carchive_file_path\u003e\r\nDecoded PowerShell commands to activate the next-stage payload.\r\nInfection chain diagram:\r\nThe final payload in this infection chain is a loader for AveMariaRAT.\r\nArchive-based infections\r\nIn other infection attempts dating as far back as December 2020, the attackers hosted malicious ZIP archives\r\ncontaining malware payloads on compromised websites. 
It is likely that the URLs to these archive files were sent\r\nto victims to make them download and open the malware payload on their endpoints.\r\nThree distinct archives containing the malicious payloads.\r\nThe malicious binaries from the archives found thus far load and instrument NetwireRAT.\r\nPayload Analysis\r\nNetwireRAT\r\nNetwire is a highly versatile RAT with multiple capabilities, including:\r\nSteal credentials from browsers.\r\nExecute arbitrary commands.\r\nGather system information.\r\nFile management operations such as write, read, copy, delete files, etc.\r\nEnumerate, terminate processes.\r\nKeylogging.\r\nNetwireRAT keylogger.\r\nAve Maria/WarzoneRAT\r\nAve MariaRAT, also known as WarzoneRAT, is a commercial RAT available for purchase to malicious operators,\r\nalthough there are cracked versions of Warzone available online.\r\nWarzoneRAT capabilities (snip) as advertised by its authors.\r\nLike Netwire, WarzoneRAT is also packed with a variety of functionalities, including:\r\nRemote desktop.\r\nWebcam capture.\r\nCredential stealing from browsers and email clients.\r\nFile management operations such as write, read, copy, delete files, etc.\r\nExecute arbitrary commands.\r\nKeylogging.\r\nReverse shells.\r\nEnumerate, terminate processes.\r\nReverse shell functionality in WarzoneRAT.\r\nFile enumerators\r\nApart from the two RATs, we’ve also observed specialized reconnaissance malware being deployed on the\r\nvictim’s endpoints instead of a RAT family. The attackers deployed a preliminary recon tool to enumerate specific\r\nfolders looking for certain file extensions. 
The file listings/paths found are uploaded to an attacker-controlled C2\r\nserver.\r\nThe locations targeted were:\r\nC:\\Users\\\u003ccurrent_user\u003e\\Downloads\\\r\nC:\\Users\\\u003ccurrent_user\u003e\\Desktop\\\r\nC:\\Users\\\u003ccurrent_user\u003e\\Documents\\\r\nC:\\Users\\\u003ccurrent_user\u003e\\OneDrive\\Downloads\\\r\nC:\\Users\\\u003ccurrent_user\u003e\\OneDrive\\Desktop\\\r\nC:\\Users\\\u003ccurrent_user\u003e\\OneDrive\\Documents\\\r\nThe file extensions searched for were:\r\n.txt, .doc, .dot, .wbk, .docx, .docm, .dotx, .dotm, .docb, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam,\r\n.xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .pdf\r\nFile enumerator malware module looking for specific file extensions.\r\nAnalyses and observations\r\nTargeting\r\nAn extremely common theme of maldocs and archives discovered in this campaign refers to the Government of\r\nIndia’s Kavach application. This is a two-factor authentication (2FA) application used by government employees\r\nto access their emails. This theme has been used recently by the SideCopy APT’s campaigns targeting Indian\r\ngovernment personnel, as well. 
Some of the malicious artifacts using the Kavach theme in the current campaign\r\nare named:\r\nKAVACH-INSTALLATION-VER-1.docm\r\nKAVACH-INSTALLATION-VER1.5.docm\r\nKAVACH-INSTALLATION-VER-3.docm\r\nkavach-2-instructions.zip\r\nkavach-2-instructions.exe\r\nKAVACH-INSTALLATION-V3.zip\r\nKAVACH-INSTALLATION-V3.exe\r\nOther file names indicating targeting of military and government personnel include:\r\nCONFD-PERS-Letter.docm\r\nPERS-CONFD-LETTER.exe\r\nAdmiral_Visit_Details_CONFD.exe\r\nPay and Allowance Details.xls\r\nCompromised websites\r\nThe attackers have relied on a combination of compromised websites and fake domains to carry out their\r\noperations — a tactic similar to that of the Transparent Tribe APT group. However, what stands out in this\r\ncampaign is the focus on compromising quasi-military or government-related websites to host malicious payloads.\r\nThis might have been done to appear legitimate to victims and analysts.\r\nFor example, the attackers compromised and maintained access to a quasi-defense-related website,\r\ndsoipalamvihar[.]co[.]in, belonging to the Defence Services Officers’ Institute (DSOI), using it to host NetwireRAT-related payloads since January 2021. In another instance, the attackers compromised the website for the Army\r\nPublic Schools of India (apsdigicamp[.]com) to host a variety of malicious archives serving NetwireRAT again.\r\nOn the other hand, the attackers used a fake domain govrn[.]xyz in July 2021 to host maldocs for their infection\r\nchains.\r\nMalicious scripts and payloads hosted on a compromised website.\r\nInfrastructure\r\nThe compromised websites were used heavily to host artifacts from maldocs to RATs. However, these websites\r\nhosted a few other malicious artifacts as well. 
These artifacts were scripts used as:\r\nEmailers.\r\nWeb shells.\r\nCSRF PoC generator.\r\nFile uploaders.\r\nNone of these scripts have been written from scratch or customized heavily by the attackers. This practice is in\r\nsync with their RAT deployments — neither the RAT payloads nor the infrastructure scripts have been modified\r\nexcept their configurations. The actual effort instead is put into social engineering and infecting victims.\r\nProliferation through emails\r\nA variety of mailers have been used by the attackers to proliferate the maldocs, archives and download links:\r\nTeamCC ninjaMailer v1.3.3.7\r\nLeaf PHPMailer 2.7\r\nLeaf PHPMailer 2.8\r\nThese PHP-based scripts are capable of configuring SMTP options and generating spear-phishing emails that can\r\nbe distributed to victims with malicious payloads or links.\r\nTeamCC NinjaMailer hosted by the attackers on one of the compromised sites.\r\nAdministration\r\nThe attackers utilized two types of management scripts to administer the compromised websites. PHP and Perl-based web shells maintain browser-based access to the sites and perform administrative actions such as file\r\nmanagement, process management and viewing file contents. The web shells used are:\r\nPhpSpy\r\nb374k 2.7\r\nOlder b374k web shell\r\nb374k web shell’s login page on the compromised site.\r\nOlder Perl-based b374k web shell hosted on a compromised site.\r\nThe attackers also deployed a file uploader utility (created by “Pakistan Haxors Crew”) to upload files to the sites\r\nwithout having to go through the web shells.\r\nFile uploader.\r\nConclusion\r\nThis campaign has been ongoing since the end of 2020 and continues to operate today. The attackers initially\r\ndeployed Netwire and Warzone RATs on the infected endpoints. 
The use of these RATs benefits an adversary\r\ntwofold — it makes attribution difficult and saves the effort to create bespoke implants. Beginning in July 2021,\r\nhowever, we observed the deployment of the file enumerators alongside the RATs. This indicates that the attackers\r\nare expanding their malware arsenal to target their victims: military and government personnel in India.\r\nInfection tactics including government-themed lures, deployment of commodity/commercial RATs and file\r\nenumerators and the use of compromised and attacker-owned domains indicate a strong resemblance to SideCopy\r\nand Transparent Tribe.\r\nUnlike many crimeware and APT attacks, this campaign uses relatively simple, straightforward infection chains.\r\nThe attackers have not developed bespoke malware or infrastructure management scripts to carry out their attacks,\r\nbut the use of prebaked artifacts doesn’t diminish the lethality of these attacks. In fact, ready-made artifacts such\r\nas commodity or cracked RATs and mailers allow the attackers to rapidly operationalize new campaigns while\r\nfocusing on their key tactic: tricking victims into infecting themselves.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. 
For specific OSqueries on this threat, click below:\r\nWarzone/AVEMARIA\r\nNetwire registry\r\nNetwire downloader\r\nFile enumerator\r\nIOCs\r\nHashes\r\nMaldocs\r\nhttps://blog.talosintelligence.com/2021/09/operation-armor-piercer.html\r\nPage 19 of 25\n\n9b7c0465236b7e1ba7358bdca315400f8ffc6079804f33e2ca4b5c467f499d1f\r\neb40d1aab9a5e59e2d6be76a1c0772f0d22726dd238110168280c34695a8c48f\r\n6b0fde73e638cb7cdb741cff0cc4ec872338c106ffe0c3a6712f08cdb600b83d\r\n2b23c976b4aca2b9b61c474e0d6202644d97b48fa553cd6c9266c11b79d3cd13\r\n41b1c3fa6b8a11fde6769650977d7bc34e0da91a23dd2b70220beec820e17d7a\r\ne6a73ef757c834e155a039619a1fdb1388f2a7ebe80accae8d13deeb3fd66471\r\n89280f7e1785b1c85432b4cf3a284e44d333b2a1a43a2e52d7ce8680a807be03\r\n302a973dc432975395c5f69a4c8c75bfffc31350176f52bddb8e4717bdbad952\r\n5d3220db34868fc98137b7dfb3a6ee47db386f145b534fb4a13ef5e0b5df9268\r\n62a890cce10f128f180d6e2b848ffff42e32859fe58a023b2bdb35dbe0a1713b\r\n0d64fd162d94601ddd806df804103f3713c4aa43c201fffb9c92783c29d6094c\r\n824bb11ef1520aecca35ad9abd8e043e4e00193668590d4aee2a41f205db7388\r\nbdb40d5e73e848ada64f334eddd184fb67e2fcdc149248db641bb8d804468f1d\r\neef5e86ebff5c59204009f4d421b80518ce3edf9c9b1bb45fb2197d9f652a927\r\nc1eba59ce0ff5d8f57fe0ae0a9af20cb0fa725fc05a58869bb0b85c2d3b815fb\r\nDownloaders\r\n49485a737673365489cb89ef1f5c29545051b33aa1642a8940e15ad281b76dfc\r\na8c67a11ed522bf597feb8b50a5b63f12a5ac724ae6adcc945475654128f6d64\r\nf8748c726bda6d67c7130aae8777d7dcb5b0cca8695041b290e9d9cb95a0a633\r\n3cdedd433c9dde56bfa0a6559a97287c7aec3346178ce2d412a255d8ed347307\r\n626f00a260880c6bfa0a955fd0c89336a691e438c4bc9206182a05db3774b75a\r\n89db68dcdbae6fca380029c1e5c5158fb5d95db8034f1ee7dbac36cf07057828\r\n68ddb86dd74285a0b6f12ec8adca9a8ea4569ef1143bec9e8ebe411b2a71720f\r\nc8ffb9d14a28fbc7e7f6d517b22a8bb83097f5bc464c52e027610ab93caec0d6\r\nRunPE loader DLL\r\nd09cac8cd7c49b908e623220a9b2893822263ae993c867b5bd4fce562d02dcd5\r\nC# based netwire 
loaders\r\n5965bba31eb30dedf795012e744fe53495d5b0c1bea52eea32e9924819e843d1\r\n455ac9cc21fcb20a14caa76abd1280131fecae9d216b1f6961af2f13081c2932\r\n304c2f88ccd6b0b00cfcb779b8958d9467c78f32b7177949899d3e818b3b9bed\r\ncf2261c7911f8481f7267b73b64546ca851b5471dab3290ce0140f956823348a\r\n6f8267a673ca5bc9fa67198c9c74d34109baf862f9194bbb0ebcc7ddd7b66b91\r\nea201379e3d7343fc7a8fbe0451766f1cea36b66c13cfbf78c4ac7ffb1eb3d93\r\n1455a003412e344d60c8bad71977aa42bb9825cffa5417e45b08070b14e5df3f\r\nnetwireRC\r\nhttps://blog.talosintelligence.com/2021/09/operation-armor-piercer.html\r\nPage 20 of 25\n\n91acdc04a03134c17ccff873f10e90c538ed74c7ab970b9899ac5c295e165a75\r\nb76be2491b127a75c297b72e1cf79f46f99622ddf4ba3516a88b47d9b6df9131\r\nd5b7edfc886c8228197b0cf20ab35f1bc0b5c652b1d766456d4e055ba6c9ea6e\r\nfd413ec8d9d798c28fc99c0633e6477f6eabc218788ad37c93be4de758a02962\r\ncf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42\r\n8284550711419f4c65083dc5de3c6b92164d8d0835ec864e9a2db9c4c0d067e4\r\n5f6571251fd36a4ec0b101c3b0be4099bc1c812d57bef57f310291d314e638ba\r\n39ff95ecb1036aab88a146714bb5b189f6afc594ecf8ffbe8b123d1579a3a259\r\n3e59b3504954efd9b4231cb208296ed9f19f4430e19db81e942b304ee0255324\r\ncd43bac8f7a0a3df4f654ed698f5828db7a05c771956b924bfd6bd5ba09e2360\r\n051f67ba58bd2b7751541bf2eb3a09642a00a43052c0d3487a182345828ee076\r\naa3d57993bbc7aefdc05e0e99ccdb5e884aa530ae90437157c7ba2308d9c4d3c\r\n8ce30043aba8c9ad33c11c3de152fe142ba7b710384f77d332076957d96e19b2\r\n5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a\r\n2a7f0af4650edb95eb7a380de6d42db59d8dd220bb4831e30e06450e149eea49\r\n7c12a820fd7e576f3a179cdccaefbfcd090e0f890fccfab7615bc294795dc244\r\n977d5b4b945cfce92e40e4d5447626f3ffb7697d98f651b9598edfd58074b9c0\r\n98337b43e214906b10222722607f76d07a5c0419a9dc3b3af415680c60944809\r\n2443e8ccdf51e82d310466955a70013155c139564672b2f79db7209207776bd2\r\nde10443785cf7d22db92fada898a77bc32c7505931b692110d2d5cd63c5b4853\r\nWarzone/AVEMARIA\r\nb891fad315c540439dba057a0f48
95ae8bae6eed982b0bf3fb46801a237c8678\r\naa2b8412cf562c334052d5c34a2e5567090e064b570884d6f4d3e28806822487\r\n999f4892d10eb6cfabe172338c1e7dd3126a2cd435bdb59748178f1d4d2d3b33\r\n140e0524f4770fc2543b86f1d62aaa6b3018c54e40250040feaa2f24bdbe974d\r\n0df12b0f704dbd5709f86804db5863bd0e6d6668d45a8ff568eefbaa2ebfb9fd\r\n369e794e05e0d7c9bba6dde5009848087a2cd5e8bf77583d391e0e51d21a52cd\r\n480e57131bd186e31ab5ea534381d7b93c8030f8b5757bde9d0b6039efa3e64d\r\nFile Enumerators\r\ndf780cccc044ee861af1089eb7498a612e6d740a609e500fd3c2a35d2c9c31e0\r\na20970aa236aa60d74841e7af53990c5da526f406c83fd1bedb011290517d9b0\r\n54a65835dc5370b089c38414972c8da589512cf73b159e8187cdda62092dc463\r\n3634b81f8b91d723733cc44429d221e53b2a7bf121e42bd26078602f4ff48f86\r\nVBS\r\ne9edb427d080c0a82e7b1c405171746cb632601b3d66f9d7ad5fa36fd747e4e4\r\nMalicious archives\r\nhttps://blog.talosintelligence.com/2021/09/operation-armor-piercer.html\r\nPage 21 of 25\n\n2f98235351c6d6bafbb237195f2556abde546578aefd7d94f8087752551afc15\r\n87fc9901eb7c3b335b82c5050e35458a2154747cd3e61110eed4c107f4ffada9\r\nb4c0f24a860f14b7a7360708a4aee135bf1a24d730d7794bc55e53a31a0e57a5\r\nba710351cfdf6b198d7479a91e786562ddb5e80db5dc9ad42278093a3395fca9\r\n8e7d5805a104dc79355387dbd130e32d183b645f42f7b35c195041d1cf69f67e\r\n2b7ac9063a530e808ffac5cf9812d850dd5fa4d1f014ba5134ad023fde503d21\r\nde245cd946e48a4b1c471b17beff056b1a2566770a96785208c698f85fb73db2\r\n689f3ff0a3331e198ea986864b2b23a62631c930d83b971382b4732474884953\r\n3794cfe8f3da39924cabd03d74aa95fb5d0c25c73d09cc99ad95c3f4e17252b8\r\n5a351acfe61a0ad9444b8d23c9915d7beb084abd7b346b9d064e89914552596d\r\nMalicious server side 
scripts\r\na8af6228296bc9ac2cd7b7bf503c9755947c844fec038255189a351bcb92bb6d\r\nb54f21a5d20457424440fdf5a57c67924854b47cf85d6a5f26daeaf183e82b69\r\n8ea420deaa86c778fc6a3b1b22bd0c2ea822089e948ad8f113c9e5b0539e92a7\r\nc86f6fdb6b360c12de1f75c026dc287aa9de1b8e9b5e5439eeab9e33de3e475e\r\n8cca06ea80a92f31418f2ed0db5e1780cc982ab185f9bf15fa6f396b561aad1f\r\nb9b04fcae747407b9e5ddec26438d9edf046de0745ea4175e4d534a7b575d152\r\n4ded1042a6cd3113bb42c675257d7d0153a22345da62533bd059d9bdd07c000f\r\n65ed397a4a66f45f332269bec7520b2644442e8581f622d589a16ad7f5efbf82\r\nc6ea094954a62cf50d3369f6ea1d9e7d539bb7eb6924005c3c1e36832ed3d06e\r\nc9a88d569164db35c8b32c41fda5c3bd4be0758fa0ea300f67fbb37ddc1f3f8d\r\nc75cc5af141dc8ea90d7d44d24ff58a6b3b0c205c8d4395b07de42d285940db1\r\n8b4a7d6b3de3083a8b71ec64ff647218343f4431bbb93a6ce18cb5f33571a38e\r\n37d0d9997776740ae3134ec6a15141930a9521cd11e2fbb8d0df6d308398f32e\r\nNetwork IOCs\r\nMaldoc download locations\r\nhxxp://service[.]clickaway[.]com//ccrs_tool/uploads/722CDfdBpfUbRyg.bbc\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/feedback.docm\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/Security-Updates.docm\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/r.docm\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/abc/r.docm\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/abc/CONFD-PERS-Letter.docm\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/KAVACH-INSTALLATION-VER1.5.docm\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/ma/KAVACH-INSTALLATION-VER-1.docm\r\nhxxps://aps[.]govrn[.]xyz/schedule2021.docm\r\nLoader/RAT download locations\r\nhttps://blog.talosintelligence.com/2021/09/operation-armor-piercer.html\r\nPage 22 of 
25\n\nhxxp://www[.]bookiq.bsnl.co.in/data_entry/circulars/QA2E.exe\r\nhxxp://www[.]bookiq.bsnl.co.in/data_entry/circulars/Host1.exe\r\nhxxp://www[.]bookiq[.]bsnl[.]co[.]in/data_entry/circulars/mac.exe\r\nhxxp://www[.]bookiq[.]bsnl[.]co[.]in/data_entry/circulars/mmaaccc.exe\r\nhxxp://www[.]bookiq[.]bsnl[.]co[.]in/data_entry/circulars/mac.exe\r\nhxxp://www[.]bookiq[.]bsnl[.]co[.]in/data_entry/circulars/mmaaccc.exe\r\nhxxp://www[.]bookiq[.]bsnl[.]co[.]in/data_entry/circulars/mmaaccc.exe\r\nhxxp://www[.]bookiq[.]bsnl[.]co[.]in/data_entry/circulars/Host1.exe\r\nhxxp://bookiq[.]bsnl[.]co[.]in/data_entry/circulars/Host.exe\r\nhxxps://kavach[.]govrn[.]xyz/shedule.exe\r\nhxxp://unicauca[.]edu[.]co/regionalizacion/sites/default/files/kavach-1-5/Acrobat.exe\r\nhxxp://45[.]79.81.88/ccrs_tool/uploads/mac.exe\r\nhxxp://45[.]79.81.88/ccrs_tool/uploads/maaccc.exe\r\nhxxp://45[.]79.81.88/ccrs_tool/uploads/maacc.exe\r\nhxxp://45[.]79.81.88/ccrs_tool/uploads/VPN.exe\r\nhxxp://45[.]79.81.88/ccrs_tool/uploads/conhost213.exe\r\nhxxp://45[.]79.81[.]88/ccrs_tool/uploads/new_war.exe\r\nhxxp://45[.]79.81.88/ccrs_tool/uploads/private.exe\r\nhxxp://45[.]79[.]81[.]88/ccrs_tool/uploads/notice.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/conhost123.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/Host1.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/mac.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/maaacccc.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/maaccc.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/maacc.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/VPN.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/new_war.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/ma/mmmaaaacccccc.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/client.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/private.exe\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/notice.exe\r\nhxxp://service[.]clic
kaway[.]com/swings/haryanatourism/gita-jayanti/invited.exe\r\nhxxp://service[.]clickaway[.]com/swings/haryanatourism/gita-jayanti/details.exe\r\nhxxps://www[.]ramanujan[.]edu[.]in/cctv-footage/footage-346.exe\r\nhxxp://thedigitalpoint[.]co[.]in/zomato/vouchers/zomato-voucher.zip\r\nhxxp://66[.]154[.]112.212/GOM.exe\r\nhxxps://dsoipalamvihar[.]co[.]in/manage/OperatorImages/exe/GOM_Player.exe\r\nFile Enumerator C2s\r\nhxxp://64[.]188[.]13[.]46/oiasjdoaijsdoiasjd/\r\nwarzone/AveMaria C2s\r\nhttps://blog.talosintelligence.com/2021/09/operation-armor-piercer.html\r\nPage 23 of 25\n\n5[.]252[.]179[.]221:6200\r\n64[.]188[.]13[.]46\r\nnetwireRC C2s\r\n66[.]154[.]103[.]106:13374\r\n66[.]154[.]103[.]106:13371\r\n66[.]154[.]103[.]106:13377\r\nMalicious archive download locations\r\nhxxps://www.unicauca[.]edu[.]co/regionalizacion/sites/default/files/Meeting-details.zip\r\nhxxps://www.unicauca[.]edu[.]co/regionalizacion/sites/default/files/kavach-1-5/kavach-2-instructions.zip\r\nhxxp://www.unicauca[.]edu[.]co/regionalizacion/sites/default/files/kavach-1-5/KAVACH-INSTALLATION-V3.zip\r\nhxxps://dsoipalamvihar[.]co[.]in/pdf/important_notice.zip\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/acc/cctv-footages/student-termination-and-proof.zip\r\nhxxp://beechtree[.]co[.]in/Admin/IconImages/progress-reports/Progress-report-43564.zip\r\nRunPe download URLs\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/RunPe.dll\r\nMisc URLs\r\nhxxps://www[.]dropbox[.]com/s/w8tc18w2lv1kv6d/msovb.vbs?dl=1\r\nhxxps://www[.]dropbox[.]com/s/lt7a981theoyajy/adobecloud.7z\r\nhxxps://pastebin[.]com/raw/mrwtZi34\r\nMalicious server-side script 
URLs\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/resume/mailer.php.zip\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/resume/mailer.php/mailer.php\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/resume/mailer.php\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/resume/4O4.php\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/resume/b374k_rs.pl\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/resume/pack.php\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/resume/cc.php\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/resume/leafmailer2.8.php\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/acc/oodi.html\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/progress-report/\r\nhxxp://lms[.]apsdigicamp[.]com/webapps/uploads/progress-report/index.html\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/1594066203_4O4.php\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/mailer.php\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/leaf.php\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/leafmailer2.8.php\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/1622640929_myshell.php\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/newfil.html\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/1594066203_ang3l.html\r\nhxxp://service[.]clickaway[.]com/ccrs_tool/uploads/1594066203_up.htm\r\nSource: https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html"
	],
	"report_names": [
		"operation-armor-piercer.html"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b01b0683-5c7c-4070-ba0c-4fdede370995",
			"created_at": "2022-10-25T16:07:23.925692Z",
			"updated_at": "2026-04-10T02:00:04.79318Z",
			"deleted_at": null,
			"main_name": "Operation Armor Piercer",
			"aliases": [],
			"source_name": "ETDA:Operation Armor Piercer",
			"tools": [
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Recam",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc9427cc952696d0cc49504bc987a87015c67c95.pdf",
		"text": "https://archive.orkl.eu/bc9427cc952696d0cc49504bc987a87015c67c95.txt",
		"img": "https://archive.orkl.eu/bc9427cc952696d0cc49504bc987a87015c67c95.jpg"
	}
}